rubo77 / log4j_checker_beta
a fast check, if your server could be vulnerable to CVE-2021-44228

License: The Unlicense

Shell 94.62% PowerShell 5.38%

log4j_checker_beta's Issues

Bundled JVMs

If any app bundles the JVM in its own package, 'java' might not be installed, but one such app could still be vulnerable.

Find

Maybe add find /|grep log4j|grep -v log4js?

Recursive depth-first Deep inspection of EAR/WAR/JAR

Given an EAR file a.ear containing, amongst others, e.g. a WAR file b.war, which again contains a JAR file named c.jar, which may contain a repackaged / rebundled version of the susceptible JndiLookup/JndiContextSelector classes: make the script recurse into a.ear to unpack b.war and then c.jar to generate the hashes for comparison of the class files.

I.e. can the script run a recursive, depth-first search to find log4j or the suspected class files in any packaged EAR/WAR/JAR combination our fellow developers came/come up with when developing and adding dependencies to their application stack of libraries?

I would like to vote for such a deep inspection feature, as I cannot get most other frameworks (python3- or Go-based) to run on the servers for lack of language support.

Many thanks
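The depth-first walk requested above, as an added example in Python that is not part of the project's shell script: it descends into every nested jar/war/ear held in memory, hashes each JndiLookup/JndiContextSelector class it meets, and reports the nested path so the SHA-256 can be compared against a hash list such as the one the script downloads. The sample a.ear with its fake class bytes is constructed inline; the function names are this example's own.

```python
import hashlib
import io
import zipfile

ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# Class files the checker is interested in (the JNDI lookup plumbing).
TARGET_CLASSES = ("JndiLookup.class", "JndiContextSelector.class")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan_archive(data: bytes, path: str, depth: int = 0, max_depth: int = 10) -> list:
    """Depth-first walk of a zip-based archive; returns (nested_path, sha256) per hit."""
    hits = []
    if depth > max_depth:  # guard against absurdly deep or crafted nesting
        return hits
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:  # not a zip container (or corrupt): nothing to inspect
        return hits
    with zf:
        for info in zf.infolist():
            name = info.filename
            member_path = f"{path}!/{name}"
            if name.endswith(TARGET_CLASSES):
                hits.append((member_path, sha256_hex(zf.read(info))))
            elif name.lower().endswith(ARCHIVE_SUFFIXES):
                # a member that is itself an archive: recurse into it in memory
                hits.extend(scan_archive(zf.read(info), member_path, depth + 1, max_depth))
    return hits


def scan_file(filename: str) -> list:
    with open(filename, "rb") as fh:
        return scan_archive(fh.read(), filename)


def build_sample_ear() -> bytes:
    """Constructed sample: a.ear -> b.war -> c.jar -> JndiLookup.class (fake bytes)."""
    def zipped(members):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            for n, b in members.items():
                z.writestr(n, b)
        return buf.getvalue()
    c_jar = zipped({"org/apache/logging/log4j/core/lookup/JndiLookup.class": b"CAFEBABE-fake"})
    b_war = zipped({"WEB-INF/lib/c.jar": c_jar, "index.html": b"<html/>"})
    return zipped({"b.war": b_war, "META-INF/application.xml": b"<application/>"})


if __name__ == "__main__":
    for nested, sha in scan_archive(build_sample_ear(), "a.ear"):
        print(sha, nested)
```

Run scan_file() against a real EAR/WAR/JAR and compare the printed digests with the hash list; a class found at any nesting depth with a listed hash is a hit.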

MacOS, mktemp illegal option

Getting an error when running the script on MacOS

$ wget https://raw.githubusercontent.com/rubo77/log4j_checker_beta/main/log4j_checker_beta.sh -q -O - |bash
[INFO] using default hash file. If you want to use other hashes, set another URL as first argument
mktemp: illegal option -- -
usage: mktemp [-d] [-q] [-t prefix] [-u] template ...
mktemp [-d] [-q] [-u] -t prefix
--2021-12-30 12:00:52-- https://raw.githubusercontent.com/rubo77/log4j_checker_beta/main/hashes-pre-cve.txt

From the man page:

OPTIONS
The available options are as follows:

 -d      Make a directory instead of a file.

 -q      Fail silently if an error occurs.  This is useful if a script does not want error output to go to standard error.

 -t prefix
         Generate a template (using the supplied prefix and TMPDIR if set) to create a filename template.

 -u      Operate in ``unsafe'' mode.  The temp file will be unlinked before mktemp exits.  This is slightly better than mktemp(3) but still introduces a race
         condition.  Use of this option is not encouraged.

sha256sum hashes

Nice work, but I am missing vulnerable JndiLookup.class sha256sum hashes. Can anybody check in to this project? Did not find anything on the net (there are hashes for log4j-core-xx.jar files, however, available from the Apache repository), but it is pointless here to test on a .class level.

2. You might not want to execute the hashing on the production machine / VM (CPU load), so I suggest adding some possibilities to check on a local machine and access the webserver only via ssh, pulling the .jar files to test. This might also circumvent cases where the webserver is blocked by a firewall for outgoing requests (either wget or curl).

It refuses to create the tempdir locally

This is handy if you want to work on tmpfs and /tmp is not tmpfs
I added

export TMPDIR="$(pwd)"

just before

dir_temp_hashes=$(mktemp -d -t ${PROGNAME}_XXXXXX)

This should allow you to run log4j_checker_beta.sh from wherever you may have tmpfs and have the temp folder created locally

Fails to find wget

The script fails to find wget - even though I used wget to download it.

I think that is because of a typing error in line 117.

if [ $(command -v wgdet) ]; then

the find_jar_files is making a mess and the while is considering it all as a single line

I worked around 2 problems:

  1. some of my servers have no internet connection so I need to be able to work on a cached vulnerable.hashes
  2. the one line thing I worked around with an array

Here are the workarounds:
dir_temp_hashes=$(mktemp -d --suffix _log4jscan)
file_temp_hashes="$dir_temp_hashes/vulnerable.hashes"
if [ -f vulnerable.hashes ] && [ -s vulnerable.hashes ]; then
  # offline server: reuse the hash list cached in the current directory
  ok_hashes=1
  cp vulnerable.hashes "$dir_temp_hashes"
  information "using cached vulnerable.hashes"
else
  information "no vulnerable.hashes cached ... downloading"
  ok_hashes=
  if [[ -n $SHA256_HASHES_URL && $(command -v wget) ]]; then
    wget --max-redirect=0 --tries=2 -O "$file_temp_hashes.in" -- "$SHA256_HASHES_URL"
  elif [[ -n $SHA256_HASHES_URL && $(command -v curl) ]]; then
    curl --globoff -f "$SHA256_HASHES_URL" -o "$file_temp_hashes.in"
  fi
  if [[ $? = 0 && -s "$file_temp_hashes.in" ]]; then
    # keep only the hash column, deduplicated
    cut -d" " -f1 "$file_temp_hashes.in" | sort -u > "$file_temp_hashes"
    ok_hashes=1
    information "Downloaded vulnerable hashes from $SHA256_HASHES_URL"
    # cache a copy next to the script for the next (offline) run
    cp "$file_temp_hashes" .
  fi
fi

and the other thing, about the one-line issue with find_jar_files:

JarArray=($(find_jar_files))
#  while read -r jar_file; do
  for ((i=0; i<${#JarArray[@]}; i++)); do
    jar_file="${JarArray[$i]}"
    ....
  done
#  done <<<$(find_jar_files)

Sorry I've no time to make a patch file or to clone edit and suggest a pull

Hashes required?

Do I need hashes for it to work? If so, where can I download them?

dpkg

dpkg -l|grep log4j; should it not be dpkg -l|grep log4j|grep -v log4jsj;?

Maintainer wanted

This takes too much time for me. I am looking for someone I can transfer the ownership of the repository to.
